authorAlan Bishop <abishop@redhat.com>2017-07-28 10:30:27 -0400
committerAlan Bishop <abishop@redhat.com>2017-07-30 15:11:55 -0400
commit5ae3fab74381403cc76525ba3ff63a60836c17c1 (patch)
treec12358bbc6ce2e1ecb3ce501fcf83f9185d5e516
parentab8167978569041e79fd9edbfd66359b528116cd (diff)
Fix legacy nova/cinder encryption key manager configuration
Recent changes in Nova [0] and Cinder [1] result in Barbican being selected as the default encryption key manager, even when TripleO is not deploying Barbican. This change ensures the legacy key manager is enabled when no key manager (such as Barbican) has been specified. This restores the previous behavior, where the legacy key manager was enabled by default. [0] https://review.openstack.org/484501 [1] https://review.openstack.org/485322 Closes-Bug: #1706389 Change-Id: Idc92f7a77cde757538eaac51c4ad8dc397f9c3d3
-rw-r--r--manifests/profile/base/cinder/api.pp11
-rw-r--r--manifests/profile/base/nova/compute.pp11
-rw-r--r--spec/classes/tripleo_profile_base_cinder_api_spec.rb14
-rw-r--r--spec/classes/tripleo_profile_base_nova_compute_spec.rb14
-rw-r--r--spec/fixtures/hieradata/step4.yaml3
5 files changed, 46 insertions, 7 deletions
diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp
index 54880ad..892e4ed 100644
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@@ -43,6 +43,12 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
+# [*keymgr_api_class*]
+# (Optional) The encryption key manager API class. The default value
+# ensures Cinder's legacy key manager is enabled when no hiera value is
+# specified.
+# Defaults to hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager')
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
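Review bot: The new `keymgr_api_class` doc block says the default enables the legacy key manager but not what that means for operators. As far as I know, `ConfKeyManager` derives every volume's encryption key from one `fixed_key` in the service configuration, so this default trades per-volume keys for compatibility. I would add a line such as `#   Note: the legacy key manager uses a single fixed key from the service configuration; set a Barbican-backed class where per-volume keys are required.` The same applies to the matching doc hunk in manifests/profile/base/nova/compute.pp.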
@@ -53,6 +59,7 @@ class tripleo::profile::base::cinder::api (
$certificates_specs = hiera('apache_certificates_specs', {}),
$cinder_api_network = hiera('cinder_api_network', undef),
$enable_internal_tls = hiera('enable_internal_tls', false),
+ $keymgr_api_class = hiera('cinder::api::keymgr_api_class', 'cinder.keymgr.conf_key_mgr.ConfKeyManager'),
$step = Integer(hiera('step')),
) {
if $::hostname == downcase($bootstrap_node) {
@@ -75,7 +82,9 @@ class tripleo::profile::base::cinder::api (
}
if $step >= 4 or ($step >= 3 and $sync_db) {
- include ::cinder::api
+ class { '::cinder::api':
+ keymgr_api_class => $keymgr_api_class,
+ }
include ::apache::mod::ssl
class { '::cinder::wsgi::apache':
ssl_cert => $tls_certfile,
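Review bot: Switching `include ::cinder::api` to a resource-like `class { '::cinder::api': ... }` declaration makes the declaration order-sensitive. Puppet rejects a resource-like declaration if the class was already declared earlier in the catalog, so any other profile that includes `::cinder::api` first would now fail compilation; whether one exists is not visible from this hunk. The reason for the explicit pass-through is also not recorded next to the code, so I would add a comment above it such as `# Pass keymgr_api_class explicitly so the legacy key manager stays the default when hiera sets none (bug #1706389).` The same two points apply to the `class { '::nova::compute': ... }` hunk in manifests/profile/base/nova/compute.pp; the enclosing `if` block continues outside both hunks.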
diff --git a/manifests/profile/base/nova/compute.pp b/manifests/profile/base/nova/compute.pp
index 3eae880..a9a1f94 100644
--- a/manifests/profile/base/nova/compute.pp
+++ b/manifests/profile/base/nova/compute.pp
@@ -27,9 +27,16 @@
# (Optional) Whether or not Cinder is backed by NFS.
# Defaults to hiera('cinder_enable_nfs_backend', false)
#
+# [*keymgr_api_class*]
+# (Optional) The encryption key manager API class. The default value
+# ensures Nova's legacy key manager is enabled when no hiera value is
+# specified.
+# Defaults to hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager')
+#
class tripleo::profile::base::nova::compute (
$step = Integer(hiera('step')),
$cinder_nfs_backend = hiera('cinder_enable_nfs_backend', false),
+ $keymgr_api_class = hiera('nova::compute::keymgr_api_class', 'nova.keymgr.conf_key_mgr.ConfKeyManager'),
) {
if $step >= 4 {
@@ -37,7 +44,9 @@ class tripleo::profile::base::nova::compute (
include ::tripleo::profile::base::nova
# deploy basic bits for nova-compute
- include ::nova::compute
+ class { '::nova::compute':
+ keymgr_api_class => $keymgr_api_class,
+ }
# If Service['nova-conductor'] is in catalog, make sure we start it
# before nova-compute.
Service<| title == 'nova-conductor' |> -> Service['nova-compute']
diff --git a/spec/classes/tripleo_profile_base_cinder_api_spec.rb b/spec/classes/tripleo_profile_base_cinder_api_spec.rb
index 03e2fd0..b9a9854 100644
--- a/spec/classes/tripleo_profile_base_cinder_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_cinder_api_spec.rb
@@ -18,6 +18,10 @@ require 'spec_helper'
describe 'tripleo::profile::base::cinder::api' do
shared_examples_for 'tripleo::profile::base::cinder::api' do
+ before :each do
+ facts.merge!({ :step => params[:step] })
+ end
+
let(:pre_condition) do
"class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }"
end
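Review bot: The added `before :each` block mutates `facts` in place with `merge!` and gives no reason why `step` must be injected as a fact. If the contexts define `facts` from a hash shared between examples (not visible here), the mutation can leak a `:step` value from one example into the next. I would at least document the intent, e.g. `# step is exposed as a fact so the hiera fixture for that step is selected` if that is indeed the reason. The identical block added to spec/classes/tripleo_profile_base_nova_compute_spec.rb needs the same comment.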
@@ -40,7 +44,10 @@ describe 'tripleo::profile::base::cinder::api' do
} }
it 'should trigger complete configuration' do
- is_expected.to contain_class('cinder::api')
+ is_expected.to contain_class('cinder::api').with(
+ # Verify legacy key manager is enabled when none is set in hiera.
+ :keymgr_api_class => 'cinder.keymgr.conf_key_mgr.ConfKeyManager',
+ )
is_expected.to contain_class('cinder::ceilometer')
end
end
@@ -63,7 +70,10 @@ describe 'tripleo::profile::base::cinder::api' do
} }
it 'should trigger complete configuration' do
- is_expected.to contain_class('cinder::api')
+ is_expected.to contain_class('cinder::api').with(
+ # Verify proper key manager is enabled when value is set in hiera.
+ :keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
+ )
is_expected.to contain_class('cinder::ceilometer')
end
end
diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb
index b3959c4..22881ac 100644
--- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb
@@ -18,12 +18,19 @@ require 'spec_helper'
describe 'tripleo::profile::base::nova::compute' do
shared_examples_for 'tripleo::profile::base::nova::compute' do
+ before :each do
+ facts.merge!({ :step => params[:step] })
+ end
context 'with step less than 5' do
let(:params) { { :step => 1, } }
it {
- is_expected.to contain_class('tripleo::profile::base::nova::compute')
+ is_expected.to contain_class('tripleo::profile::base::nova::compute').with(
+ # Verify legacy key manager is enabled when none is set in hiera.
+ :keymgr_api_class => 'nova.keymgr.conf_key_mgr.ConfKeyManager',
+ )
+
is_expected.to_not contain_class('tripleo::profile::base::nova')
is_expected.to_not contain_class('nova::compute')
is_expected.to_not contain_class('nova::network::neutron')
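Review bot: The legacy-default assertion here is made on the profile class in the step 1 context, where `nova::compute` is asserted absent, so nothing in this spec checks that the value actually reaches `nova::compute`. The step 4 hunk below has the same gap: it checks the Barbican value on `tripleo::profile::base::nova::compute` and leaves `contain_class('nova::compute')` without a `.with`. Unlike the cinder spec, a regression that drops `keymgr_api_class => $keymgr_api_class` from compute.pp would therefore still pass. I would add `is_expected.to contain_class('nova::compute').with(:keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager')` in the step 4 context. Since step4.yaml sets the `nova::compute` key itself, a step >= 4 case without that hiera value is probably also needed to pin the default.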
@@ -50,7 +57,10 @@ eos
let(:params) { { :step => 4, } }
it {
- is_expected.to contain_class('tripleo::profile::base::nova::compute')
+ is_expected.to contain_class('tripleo::profile::base::nova::compute').with(
+ # Verify proper key manager is enabled when value is set in hiera.
+ :keymgr_api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
+ )
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova::compute')
diff --git a/spec/fixtures/hieradata/step4.yaml b/spec/fixtures/hieradata/step4.yaml
index 0b53225..fd24beb 100644
--- a/spec/fixtures/hieradata/step4.yaml
+++ b/spec/fixtures/hieradata/step4.yaml
@@ -1,9 +1,10 @@
---
step: 4
+cinder::api::keymgr_api_class: 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
+nova::compute::keymgr_api_class: 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
# items needed for tripleo::profile::base::cinder::volume
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_address: '127.0.0.1'
tripleo::profile::base::cinder::volume::nfs::cinder_nfs_servers:
- '127.0.0.1'
cinder::backend::eqlx::eqlx_chap_login: 'user'
cinder::backend::eqlx::eqlx_chap_password: 'user'
-
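Review bot: The two new `keymgr_api_class` keys are added without a comment, while the entries below them carry one (`# items needed for ...`). Because this fixture is presumably loaded by every spec that runs at step 4, a reader cannot tell that these values exist only to exercise the hiera override path. I would add a line above them such as `# key manager override checked by the cinder::api and nova::compute profile specs`.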